Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

modoboa

Source -

CNAADPNVD

BOS Name -

N/A

CNA CVEs -

15

ADP CVEs -

3

CISA CVEs -

0

NVD CVEs -

16
Related CVEsRelated ProductsRelated AssignersReports
16Vulnerabilities found
CVE-2026-27602
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.2||HIGH
EPSS-0.04% / 10.98%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 18:49
Updated-26 Mar, 2026 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-5690
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 55.77%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 16:22
Updated-11 Sep, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

Action-Not Available
Vendor-modoboamodoboamodoboa
Product-modoboamodoboa/modoboamodoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5689
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-0.14% / 34.02%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 16:22
Updated-11 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - DOM in modoboa/modoboa

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Action-Not Available
Vendor-modoboamodoboamodoboa
Product-modoboamodoboa/modoboamodoboa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5688
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 34.02%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 16:22
Updated-11 Sep, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - DOM in modoboa/modoboa

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Action-Not Available
Vendor-modoboamodoboamodoboa
Product-modoboamodoboa/modoboamodoboa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2228
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 33.69%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2227
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.1||CRITICAL
EPSS-77.82% / 99.02%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authorization in modoboa/modoboa

Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-285
Improper Authorization
CVE-2023-2160
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.31% / 54.40%
||
7 Day CHG~0.00%
Published-18 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Password Requirements in modoboa/modoboa

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-521
Weak Password Requirements
CVE-2023-0949
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.8||MEDIUM
EPSS-0.15% / 35.17%
||
7 Day CHG~0.00%
Published-22 Feb, 2023 | 00:00
Updated-12 Mar, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Reflected in modoboa/modoboa

Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0860
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.8||HIGH
EPSS-0.50% / 66.25%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in modoboa/modoboa-installer

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-installermodoboa/modoboa-installer
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-0777
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.6||HIGH
EPSS-75.02% / 98.89%
||
7 Day CHG~0.00%
Published-10 Feb, 2023 | 00:00
Updated-24 Mar, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass by Primary Weakness in modoboa/modoboa

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CVE-2023-0519
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-0.21% / 43.88%
||
7 Day CHG~0.00%
Published-26 Jan, 2023 | 00:00
Updated-31 Mar, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in modoboa/modoboa

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0470
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-0.21% / 43.88%
||
7 Day CHG~0.00%
Published-26 Jan, 2023 | 00:00
Updated-31 Mar, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) - Stored in modoboa/modoboa

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0438
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.63%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0398
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.11%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0406
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 54.71%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19702
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.82% / 74.82%
||
7 Day CHG~0.00%
Published-10 Dec, 2019 | 19:19
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.

Action-Not Available
Vendor-modoboan/a
Product-modoboa-dmarcn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference